Given the US government's recent decision to ban the use of Kaspersky AV software, one might assume Kaspersky itself acted maliciously. But the details in the story -- along with analysis from other journalists and researchers -- suggest the AV software may have done nothing more than its job.

The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.

The theft, which hasn’t been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S.

The incident occurred in 2015 but wasn’t discovered until spring of last year, said the people familiar with the matter.

The stolen material included details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S., these people said.

A few interesting details stand out:

First, the discovery of files via antivirus software was made easier by the way Kaspersky AV operates.

“It’s basically the equivalent of digital dumpster diving,” said Blake Darché, a former NSA employee who worked in the agency’s elite hacking group that targets foreign computer systems.

Kaspersky is “aggressive” in its methods of hunting for malware, Mr. Darché said, “in that they will make copies of files on a computer, anything that they think is interesting.” He said the product’s user license agreement, which few customers probably read, allows this.

The combined guesswork of the Wall Street Journal's sources suggests snippets of NSA malware code were discovered on a contractor's personal computer. Kaspersky AV has been banned from use inside the NSA for years, but nothing prevents NSA contractors from installing it on their home computers. In this case, a contractor had files on their personal computer that never should have left the NSA. (Well… at least not in this fashion. Taking sensitive files off grounds can be a criminal offense. Deploying these files to compromise computers and devices around the world, however, is just the daily work of the NSA's Tailored Access Operations.)

The unanswered question appears to be how state-sponsored Russian hackers determined which computer to target. Some suspect Kaspersky employees informed the Russian government of their discovery, but the Journal article offers no clarifying statements.

[N]one of the rest of the report explains how Kaspersky could have learned so much about NSA’s tools.

We now may have our answer: initial discovery of NSA tools led to further discovery using its AV tools to do precisely what they’re supposed to. If some NSA contractor delivered all that up to Kaspersky, it would explain the breadth of Kaspersky’s knowledge.

It would also explain why NSA would counter-hack Kaspersky using Duqu 2.0, which led to Kaspersky learning more about NSA’s tools.

The employee involved was a Vietnamese national who had worked at Tailored Access Operations, the elite hacking division of the NSA that develops tools to penetrate computers overseas to gather foreign intelligence, said the individuals, who spoke on condition of anonymity to discuss an ongoing case. He was removed from the job in 2015, but was not thought to have taken the materials for malicious purposes such as handing them to a foreign spy agency, they said.

One NSA figure who may not survive this third major breach is its boss, Mike Rogers. His head was on the chopping block for breaches under his command back when Obama was still in office. A third major breach of NSA security may be a breach too far.

In a few short years, the NSA has gone from "No Such Agency" to the world's best unofficial source of malware. It's something to keep in mind every time the agency pitches an expansion of surveillance powers. It can't keep an eye on its own backyard because it's too busy staring into everyone else's.

from the super-effective dept

We've long talked about the problems that come along with government mandating ISPs to act as copyright police by blocking so-called "pirate" websites. The issues with these attempts are many, ranging from their muted impact on piracy to concerns over just how a website is deemed to be a "pirate" website to the inevitable collateral damage sustained by non-infringing sites. With the last of those, you can pretty much set your watch to the stories of innocent sites being caught up in this sort of censorship. Still, the breadth of this particular problem likely escapes many people.

To get a handle on the sort of scope we're talking about, we can take a look at Russia. In response to international accusations of the government being lax on matters of copyright infringement, Russia enacted legislation in 2013 that tasked ISPs and hosting providers with blocking pirate websites. It's been nearly half a decade, so let's check in and see what sort of impact that legislation has had.

More than four years on, Russia is still grappling with a huge piracy problem that refuses to go away. It has been blocking thousands of sites at a steady rate, including RuTracker, the country's largest torrent platform, but still the problem persists.

Now, a new report produced by Roskomsvoboda, the Center for the Protection of Digital Rights, and the Pirate Party of Russia, reveals a system that has not only failed to reach its stated aims but is also having a negative effect on the broader Internet.

According to that study, the numbers come out to roughly 4,000 blocked sites that are the actual sort of website the Russian government meant to target and 41,000 sites that are essentially pure collateral damage. The reason for this is that the nature of the legal proceedings in these sorts of cases is such that the actual site operators basically never show up in court. Instead, the ISPs and hosting providers do, and are then ordered to block these pirate sites by IP address, among other methods. These IP addresses can be shared, however, meaning that any third party sharing an IP address with the target of a block order from the courts is caught up and likewise censored.

Due to the legal requirement to block sites by both IP address and other means, third-party sites with shared IP addresses get caught up as collateral damage. The report states that more than 41,000 innocent sites have been blocked as the result of supposedly targeted court orders.
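To see how a block order written against IP addresses turns into censorship of bystanders, here is a small added example (not from the article or the Roskomsvoboda report) that models a handful of hypothetical domains on shared hosting, resolves the ordered domains to the addresses an ISP would be told to block, and counts who else goes dark. All of the hosting data is constructed; the point is the mechanism, plus the comparison with a name-aware filter that keys on the requested server name instead of the destination address.

```python
"""Estimate collateral damage from IP-based site blocking.

Added example, not part of the original article or the Roskomsvoboda
report. The hosting data below is constructed: a few virtual hosts sharing
IP addresses, as shared hosting and CDNs do in practice. The court orders
name domains; the ISPs are ordered to block the resolved IP addresses, so
every other domain behind a blocked address goes dark too.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample: (domain, IPv4 address) pairs as an ISP would see them
# after resolving each name. All names and addresses are hypothetical.
HOSTING: List[Tuple[str, str]] = [
    ("torrents-example.ru", "203.0.113.10"),
    ("rutracker-mirror.example", "203.0.113.10"),
    ("school-library.example", "203.0.113.10"),
    ("bakery-example.ru", "203.0.113.10"),
    ("pirate-stream.example", "198.51.100.7"),
    ("charity.example", "198.51.100.7"),
    ("standalone-pirate.example", "192.0.2.44"),
    ("unrelated-news.example", "192.0.2.90"),
]

# Domains actually named in the (constructed) court orders.
ORDERED: Set[str] = {"torrents-example.ru", "pirate-stream.example", "standalone-pirate.example"}


def ip_blocklist(hosting, ordered) -> Set[str]:
    """Addresses the ISP must null-route: every IP an ordered domain resolves to."""
    return {ip for domain, ip in hosting if domain in ordered}


def blocked_domains(hosting, ips) -> Set[str]:
    """Every domain that becomes unreachable once those addresses are blocked."""
    return {domain for domain, ip in hosting if ip in ips}


def collateral(hosting, ordered) -> Tuple[Set[str], Set[str]]:
    """Split the blocked domains into (targeted, collateral)."""
    hit = blocked_domains(hosting, ip_blocklist(hosting, ordered))
    return hit & ordered, hit - ordered


def collateral_ratio(hosting, ordered) -> float:
    """Innocent domains blocked per domain the order actually named."""
    targeted, innocent = collateral(hosting, ordered)
    return len(innocent) / len(targeted)


def ip_filter_drops(dst_ip: str, ips: Set[str]) -> bool:
    """The court-ordered method: every connection to a listed address is dropped."""
    return dst_ip in ips


def sni_filter_drops(server_name: str, ordered: Set[str]) -> bool:
    """A filter keyed on the requested name (DNS, TLS SNI, Host header) drops only listed names."""
    return server_name in ordered


def compare_filters(hosting, ordered) -> Dict[str, int]:
    """Count how many of the hosted domains each filtering method takes offline."""
    ips = ip_blocklist(hosting, ordered)
    return {
        "ip_based": sum(ip_filter_drops(ip, ips) for _, ip in hosting),
        "name_based": sum(sni_filter_drops(name, ordered) for name, _ in hosting),
    }


if __name__ == "__main__":
    targeted, innocent = collateral(HOSTING, ORDERED)
    print("targeted:  ", sorted(targeted))
    print("collateral:", sorted(innocent))
    print(f"ratio: {collateral_ratio(HOSTING, ORDERED):.2f} innocent per target")
    print("domains dropped by each method:", compare_filters(HOSTING, ORDERED))
```

Swap in a real resolver export and a real order list and the same functions give the measurement the report made at national scale; the 41,000-to-4,000 figure is this ratio with real data behind it.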

But with collateral damage mounting, the main issue as far as copyright holders are concerned is whether piracy is decreasing as a result. The report draws few conclusions on that front but notes that blocks are a blunt instrument. While they may succeed in stopping some people from accessing ‘pirate’ domains, the underlying infringement carries on regardless.

“Blocks create restrictions only for Internet users who are denied access to sites, but do not lead to the removal of illegal information or prevent intellectual property violations,” the researchers add.

So, the blunt instrument of censorship has been fairly bad at stopping copyright infringement, its stated goal, but quite good at censoring innocent sites at a factor of ten to one compared with the actual targets of the censoring. That's the kind of failure that's so bad it's impressive. One would think the Russian government would be looking to overhaul the legislation and censorship program to start driving these numbers back into the realm of reason. But this is Russia we're talking about, so instead the country is ramping up its censorship efforts, with requirements for search results to omit "pirate" sites and by criminalizing VPNs.

It's enough that you start to wonder just how many websites the average Russian citizen will be able to access at all before long.

from the don't-trust-anonymous-sources-unless-you-agree-with-them dept

While we wait for the Mueller investigation to clearly illustrate if and how Russia meddled in the last election, there's no shortage of opinions regarding how deep this particular rabbit hole goes. While it's pretty obvious that Putin used social media and media propaganda to pour some napalm on our existing bonfires of dysfunction, just how much of an impact these efforts had on the election won't be clear until a full postmortem is done. Similarly, while Russian hackers certainly had fun probing our voting systems and may have hacked both political parties, clearly proving state involvement is something else entirely.

Quite fairly, many folks have pushed for caution in terms of waiting for hard evidence to emerge, highlighting the danger in trusting leaks from an intelligence sector with a dismal track record of integrity and honesty. There's also the obvious concern of ramping up tension escalation between two nuclear powers. But last week, many of those same individuals were quick to highlight several new stories that claimed to "completely debunk" Russia's involvement in hacking the DNC ahead of last year's election. The problem? These reports were about as flimsy as -- if not flimsier than -- the Russian hacking theories they supposedly supplanted.

In fact, these reports took things one step further by claiming that the hack of the DNC was something committed solely by someone within the DNC itself. This particularly overlong, meandering piece by The Nation, for example, claimed to cite numerous anonymous intelligence sources who have supposedly grown increasingly skeptical over the "Russian hacking narrative." Quite correctly, the report starts out by noting that while there's oodles and oodles of smoke regarding Putin's involvement in the election hacks, the fire (hard evidence) has been hard to come by so far:

"Lost in a year that often appeared to veer into our peculiarly American kind of hysteria is the absence of any credible evidence of what happened last year and who was responsible for it. It is tiresome to note, but none has been made available. Instead, we are urged to accept the word of institutions and senior officials with long records of deception. These officials profess “high confidence” in their “assessment” as to what happened in the spring and summer of last year—this standing as their authoritative judgment.

But that's where things get a little weird. The report repeatedly proclaims that a laundry list of anonymous "forensic investigators, intelligence analysts, system designers, program architects, and computer scientists of long experience and strongly credentialed" have been hard at work "producing evidence disproving the official version of key events last year." But one of the key conclusions by these experts -- and a key cornerstone of all of these stories -- makes absolutely no sense.

The reports lean heavily on anonymous cybersecurity experts calling themselves "Forensicator" and "Adam Carter," who purportedly took a closer look at the metadata attached to the stolen files. Said metadata, we're breathlessly informed, indisputably proves that the data had to have been transferred from inside of the DNC network and not over the internet, since the internet isn't supposedly capable of such transfer speeds:

"Forensicator’s first decisive findings, made public in the paper dated July 9, concerned the volume of the supposedly hacked material and what is called the transfer rate—the time a remote hack would require. The metadata established several facts in this regard with granular precision: On the evening of July 5, 2016, 1,976 megabytes of data were downloaded from the DNC’s server. The operation took 87 seconds. This yields a transfer rate of 22.7 megabytes per second.

These statistics are matters of record and essential to disproving the hack theory. No Internet service provider, such as a hacker would have had to use in mid-2016, was capable of downloading data at this speed. Compounding this contradiction, Guccifer claimed to have run his hack from Romania, which, for numerous reasons technically called delivery overheads, would slow down the speed of a hack even further from maximum achievable speeds."

That reads like a semi-cogent paragraph, but it's largely nonsense. 22.7 megabytes per second (MB/s) sounds impossibly fast if you don't know any better. But if you do the simple conversion from megabytes per second to megabits per second necessary to determine the actual speed of the connection used, you get a fairly reasonable 180 megabits per second (Mbps). While the report proclaims that "no internet service provider" can provide such speeds, ISPs around the world routinely offer speeds far, far faster -- from 500 Mbps to even 1 Gbps.
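Here's the arithmetic as a short added example (not from The Nation, Bloomberg, or the pseudonymous analysts) so anyone can reproduce it. It takes the two figures quoted above, 1,976 megabytes in 87 seconds, and works out the line rate that would have been needed. It also handles two things the reports skip: whether "megabytes" meant decimal MB or the binary MiB that archive tools usually report (the difference is about five percent), and an allowance for VPN and protocol overhead. The list of advertised service tiers is constructed for illustration, and the comparison is against the downloading side's link; the DNC-side uplink is a separate question the reports also never ask.

```python
"""Check the 'too fast for the internet' claim.

Added example, not from the original article or from the Forensicator or
Bloomberg analyses. The two input figures (1,976 MB in 87 seconds) are the
ones quoted in the piece; everything else (unit interpretations, overhead
allowance, the sample of advertised service tiers) is an assumption made
here for illustration.
"""
from typing import Dict, List

MB_DECIMAL = 1_000_000    # 1 MB as ISPs and spec sheets use it
MB_BINARY = 1_048_576     # 1 MiB, what many file and archive tools label "MB"
BITS_PER_BYTE = 8

# Hypothetical advertised line rates (Mbps) for the downloading side.
CONSTRUCTED_TIERS: Dict[str, float] = {
    "cable 100/10": 100,
    "cable 300/20": 300,
    "fiber 500": 500,
    "DOCSIS 3.1 gigabit": 1000,
}


def goodput_mbps(megabytes: float, seconds: float, unit: int = MB_DECIMAL) -> float:
    """Application-level throughput in megabits per second."""
    return megabytes * unit * BITS_PER_BYTE / seconds / 1_000_000


def required_link_mbps(goodput: float, overhead_fraction: float) -> float:
    """Line rate needed once headers, TLS/VPN framing and retransmits eat a share of it.

    overhead_fraction is that share of the link (0.15 means 15% overhead).
    """
    if not 0 <= overhead_fraction < 1:
        raise ValueError("overhead_fraction must be in [0, 1)")
    return goodput / (1 - overhead_fraction)


def tiers_that_suffice(required: float, advertised: Dict[str, float]) -> List[str]:
    """Advertised tiers whose line rate covers the required rate."""
    return sorted(name for name, rate in advertised.items() if rate >= required)


def analyse(megabytes: float = 1976, seconds: float = 87, overhead: float = 0.15,
            tiers: Dict[str, float] = None) -> Dict[str, dict]:
    """Work the numbers under both unit interpretations and report what would do."""
    tiers = tiers or CONSTRUCTED_TIERS
    result = {}
    for label, unit in (("MB", MB_DECIMAL), ("MiB", MB_BINARY)):
        g = goodput_mbps(megabytes, seconds, unit)
        need = required_link_mbps(g, overhead)
        result[label] = {
            "goodput_mbps": round(g, 1),
            "required_mbps": round(need, 1),
            "sufficient_tiers": tiers_that_suffice(need, tiers),
        }
    return result


if __name__ == "__main__":
    for label, row in analyse().items():
        print(f"{label}: {row['goodput_mbps']} Mbps goodput, "
              f"{row['required_mbps']} Mbps link with overhead -> {row['sufficient_tiers']}")
```

Under either reading the requirement lands around 180 to 225 Mbps, which the constructed tiers (and, as the piece notes, real cable and fiber products) clear with room to spare; a 100 Mbps tier is the only one here that would not.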

And despite the report oddly pooh-poohing Romanian broadband's "delivery overheads," many Romanian cities actually have faster internet connectivity than either Russia or the States (check out Akamai's global broadband rankings). Bernie Sanders learned this last year when he unintentionally pissed off many Romanians while trying to highlight the dismal state of U.S. connectivity. Even then, the hacker in question could have used any number of tricks to hide his or her location and real identity from a high-bandwidth vantage point, so the claim that the hacker couldn't achieve 180 Mbps through a VPN is simply nonsense.

Obviously this raises some questions about what kind of cyber-sleuths we're talking about when they can't do basic conversions or look at some fairly obvious broadband speed availability charts. And it also raises some questions about why reporters thought flimsy anonymous experts were the perfect remedy to the other flimsy anonymous leaks they hoped to debunk. While The Nation couldn't even be bothered to do the simple calculation showing that the speed of the connection used by the hacker was relatively ordinary, Bloomberg, in a story titled "Why Some U.S. Ex-Spies Don't Buy the Russia Story," actually did the conversion to get the 180 Mbps figure, and still somehow told readers that such speeds were impossible:

"The VIPS theory relies on forensic findings by independent researchers who go by the pseudonyms "Forensicator" and "Adam Carter." The former found that 1,976 MB of Guccifer's files were copied from a DNC server on July 5 in just 87 seconds, implying a transfer rate of 22.6 megabytes per second -- or, converted to a measure most people use, about 180 megabits per second, a speed not commonly available from U.S. internet providers. Downloading such files this quickly over the internet, especially over a VPN (most hackers would use one), would have been all but impossible because the network infrastructure through which the traffic would have to pass would further slow the traffic."

Yes, all but impossible! Provided you ignore that DOCSIS 3.1 cable upgrades and fiber connections deliver speeds consistently faster than that all around the world every day -- including Romania. False claims and sloppy math aside, after the Bloomberg column ran, several actual, identifiable intelligence experts also came forward doubting the legitimacy of the supposed intelligence sources for these stories altogether:

Where else besides twitter can you find two former CIA officers with experience in Russia knocking down a dodgy Bloomberg column? pic.twitter.com/t9zPk7tGG9

Surrounded by raised eyebrows, The Nation is now apparently reviewing its story for accuracy after numerous people highlighted that a major cornerstone of the report was little more than fluff and nonsense. Bloomberg has so far failed to follow suit.

So again, there's certainly every reason to not escalate hostility between the United States and Russia with many details still obfuscated and investigations incomplete. And there's also every reason to view reports leaning heavily on anonymous intelligence insiders skeptically after generations of distortions and falsehoods from those same agencies. That said, if you want to debunk the anonymous claims of a growing number of intelligence insiders who claim Russia played pinball with our electoral process, perhaps running into the arms of even more unreliable, anonymous intelligence sources -- without checking your math -- isn't your best path toward the truth.

from the who-needs-privacy-anyway dept

We've noted for some time that Russia has been engaged in a slow but steady assault on privacy tools like VPNs. As with most countries that have an adversarial relationship with the truth, the entire effort has been couched as necessary to protect national security and cultural morality, though the real agenda is to help prop up the country's domestic surveillance efforts and Putin's ham-fisted internet filters. This push accelerated with a new surveillance bill last year that not only mandated new encryption backdoors, but also imposed harsh new data-retention requirements on ISPs and VPN providers.

The State Duma on Friday unanimously passed a bill that would oblige Internet providers to block websites that offer VPN services. Many Russians use VPNs to access blocked content by routing connections through servers outside the country. The lawmakers behind the bill argued that the move could help to enforce Russia's ban on disseminating extremist content online. The bill has to be approved at the upper chamber of parliament and signed by the president before it comes into effect.

Leonid Levin, the head of Duma's information policy committee, has said the law is not intended to impose restrictions on law-abiding citizens but is meant only to block access to "unlawful content," RIA news agency said.

Needless to say, this wasn't received particularly well by Russian citizens who enjoy having something vaguely resembling privacy, with 1,000 or so protesting in Moscow last weekend over the looming law:

Pavel Rassudov, 34, the former head of the Pirate Party campaign group, said at the march that "restrictions on the internet began in 2011," as the opposition to Putin held mass rallies in Moscow. "The authorities realised the Internet was a tool for mobilisation, that it brings people out onto the streets," Rassudov said. Another marcher, Lyudmila Toporova, 56, said she came to the rally because "Freedom is the most important thing in life. That's why I'm here."

Of course the end result of this kind of ridiculous policy is that encryption itself is undermined, and everybody winds up less secure. And while you'd like to think this sort of thing wouldn't happen here in the States, if you've watched the endless efforts over the last five years or so to undermine encryption and demonize VPNs, we're probably only a domestic terrorist attack or two away from voters being scared into supporting similar idiotic policy for the "safety and security" of the republic.

from the well,-that-wasn't-predictable-at-all dept

A few weeks ago, we warned about a dangerous new German law that would fine social media companies if they didn't magically block "hate speech" on their platforms. As we pointed out, this would lead to widespread censorship, as the risk of liability for leaving up even borderline speech would be massive. And, equally important, this would embolden oppressive, dictatorial and autocratic regimes to press on with their own crackdowns on free speech by using laws like this one and claiming that they're doing the exact same thing as supposedly democratic nations like Germany.

Reporters Without Borders (RSF) condemns a Russian bill that would force social networks to remove “unlawful” content within 24 hours of notification. It is based very closely on a law that was adopted in Germany on 30 June.

The Russian bill shows that when leading democracies devise draconian legislation, they provide repressive regimes with ideas. Submitted to the Duma on 12 July by members of President Vladimir Putin’s United Russia party, the bill’s references to the German law are explicit.

Just like the German bill, the Russian bill would allow anyone to claim certain content is "unlawful" and then the platforms would have 24 hours to remove the content or face massive fines. This will, inevitably, enable much greater control and censorship (already an issue in Russia). But it will be more difficult to argue that Russia is doing something "bad" here as the Russians will quickly point out that Germany has identical legislation. And I wouldn't be surprised to see other countries, such as Iran or China, put in place similar "laws" themselves.

from the ETERNALPWNAGE dept

Leaked NSA exploits have now been the basis for two massive cyberattacks. The first -- WannaCry -- caught hospitals and other critical infrastructure across several nations in the crossfire, using a tool built on the NSA's ETERNALBLUE exploit backbone. The second seems to be targeting Ukraine, causing the same sort of havoc but with a couple of particularly nasty twists.

It soon became apparent it didn't matter what Posteo (the email provider that shut down the attackers' contact address) did, however clueless or ill-advised. There was no retrieving files even if ransoms were paid. Two separate sets of security researchers examined the so-called ransomware and discovered this Petya variant is actually a wiper. Once infected, victims' files are as good as gone. No amount of bitcoin is going to reverse the inevitable. The ransom notices were only there to draw attention to the infection and away from the malware's true purpose.

Both cases are considered to be attacks by nation states. Inconsistently applied patches -- most of them released with zero information by Microsoft -- have led to an insane amount of damage.

Through it all, the NSA -- whose tools were leaked -- has remained consistently silent. There's been no indication whether the agency is working to mitigate the ongoing threat or whether it's far more concerned with discovering who left behind the malware toolkit first exposed by the Shadow Brokers.

It's unlikely we'll hear much being said publicly by the agency, but Rep. Ted Lieu has sent a letter to NSA chief Mike Rogers demanding answers. The letter [PDF] points out both attacks have been based on NSA exploits (ETERNALBLUE and ETERNALROMANCE). Lieu also states he fears the attacks seen in the past few weeks are only the "tip of the iceberg." The agency's refusal to discuss the attacks apparently isn't going to fly anymore.

Lieu makes two requests: the first is for the agency to see if it has some sort of magic "OFF" switch just laying around.

My first and urgent request is that if the NSA knows how to stop this global malware attack, or has information that can help stop the attack, NSA should immediately disclose it. If the NSA has a kill switch for this new malware attack, the NSA should deploy it now.

It's far more likely the NSA has information it would rather not share than it is the agency has a way to shut down this attack, much less prevent future variations on its ETERNAL theme. But that's directly related to the second part of Lieu's request: work with companies whose software is being exploited to prevent further attacks. If the NSA still has security holes it's hoping won't be patched anytime soon, the current situation would seem to call for a rethink of its exploit-hoarding M.O.

What may be in order is the NSA stepping up and playing defense. It has stated a desire to be a larger cog in the US cyberwar machinery, but often seems more interested in playing offense than pitching in to help on the defensive end. That may need to change quickly if the NSA isn't going to be seen as more of a problem than a solution.

from the backdoors-for-all dept

Nobody trusts anybody, and it's probably going to end up affecting end users the most. The Snowden leaks showed the NSA's Tailored Access Operations routinely intercepted network hardware to insert backdoors. The exploits leaked by the Shadow Brokers indicated the NSA was very active on the software exploit front as well.

Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any "backdoors" that would allow them to burrow into Russian systems.

According to the article, multiple US officials and company executives are tracing the uptick in review demands to a downturn in US-Russian relations following Russia's 2014 annexation of Crimea. But the NSA's hardware operations were exposed in mid-2014, so it's hard to believe the Snowden effect isn't in play.

[Some] reviews are… conducted by the Federal Service for Technical and Export Control (FSTEC), a Russian defense agency tasked with countering cyber espionage and protecting state secrets. Records published by FSTEC and reviewed by Reuters show that from 1996 to 2013, it conducted source code reviews as part of approvals for 13 technology products from Western companies. In the past three years alone it carried out 28 reviews.

Since these companies aren't willing to give up their share of an $18.4 billion market, compromises are being made. Examinations of code are being done in "clean rooms," with conditions somewhat controlled by the companies being vetted. But this isn't always the case. Nor are these precautions necessarily enough to prevent those doing the vetting -- some linked to the Russian government -- from finding undiscovered security holes and flaws. The vetting may help keep Russian government agencies and private companies from being spied on by the US, but it's not going to do much to keep the Russian government from spying on Russian companies and Russian computer users.

So far, only one company has publicly announced its refusal to submit its software for vetting. Symantec has rejected testing by Echelon, a Moscow-based lab with some tenuous ties to the Russian military.

But for Symantec, the lab "didn't meet our bar" for independence, said spokeswoman Kristen Batch.

“In the case of Russia, we decided the protection of our customer base through the deployment of uncompromised security products was more important than pursuing an increase in market share in Russia,” said Batch, who added that the company did not believe Russia had tried to hack into its products.

Echelon also provides testing for the Russian Ministry of Defense and multiple law enforcement agencies. It claims to be wholly independent of the Russian government, but those assertions haven't been enough to overcome Symantec's objections. Other companies (the article lists HP and IBM) have allowed their products to be tested by Echelon, but neither was willing to comment on this story.

The Russians are checking for US backdoors while potentially seeking to install their own. US companies are given the choice of possibly aiding in Russian domestic surveillance or being locked out of the market. Any lost sales here can at least be partially chalked up to the Snowden leaks. If so, the fallout from the leaks is still causing harm to US companies, years down the road.

from the feel-safer-yet? dept

Last year we noted how Russia had introduced a new surveillance bill promising to deliver greater security to the country. Of course, like in so many countries, the bill actually did the exact opposite -- not only mandating new encryption backdoors, but also imposing harsh new data-retention requirements on ISPs and VPN providers. As a result, some VPN providers like Private Internet Access wound up leaving the country after finding their entire function eroded and having some of their servers seized.

This year, Russia hopes to deliver the killing blow to the use of VPNs and other privacy-protection tools.

The Information and Technology Committee of the Duma (the lower house of the Russian parliament) has approved controversial draft legislation that would ban anonymity on messenger apps entirely. It's part of a crackdown on anonymous journalists who have (stop us if this sounds familiar) been leaking details on many of the sordid occurrences inside the often-corrupt Russian political machinery. Expected to take effect in 2018, the new law would require messenger users to verify their identities using their phone numbers, with Russian mobile phone operators expected to assist the government with this effort.

In concert, a bill has been submitted attempting to effectively ban VPN use entirely. In Russia, broadband users have increasingly turned to VPNs to avoid the growing list of censored websites. To help thwart such usage, the bill would not only impose steep fines on VPN providers that don't agree to block blacklisted websites, but would require that ISPs terminate these companies' connection to the internet should they not comply:

As it stands, the bill requires local telecoms watchdog Rozcomnadzor to keep a list of banned domains while identifying sites, services, and software that provide access to them. Once the bypassing services are identified, Rozcomnadzor will send a notice to their hosts, giving them a 72-hour deadline to reveal the identities of their operators.

After this stage is complete, the host will be given another three days to order the people running the circumvention-capable service to stop providing access to banned domains. If the service operator fails to comply within 30 days, all Internet service providers will be required to block access to the service and its web presence, if it has one.

In short: help us censor the internet or you won't be allowed to do business in Russia. Some 100 VPN providers are already blocked in Russia for one reason or another, and Opera scaled back its Russian operations last November after telecom regulator Roskomnadzor pressured it to include website filtering in the VPN now built into its Opera browser for free. The bill would also levy additional penalties on Russian search engines, forcing them to remove all links to sites Roskomnadzor determines to be ban-worthy.

Like countless similar efforts across numerous countries, this is all framed as an utterly necessary step to thwart piracy, combat extremism and ensure the safety and security of the Russian people. But as with comparable proposals in the States and elsewhere, these proposals undermine encryption and essential security and privacy tools, making the general public notably less secure. They're also an expensive game of Whack-a-Mole as users looking for privacy simply flee to services like Tor or ZeroNet, ensuring these services will be the demonized bogeymen of tomorrow.

from the lifecomesatyoufast.gif dept

Russian military intelligence executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election, according to a highly classified intelligence report obtained by The Intercept.

The top-secret National Security Agency document, which was provided anonymously to The Intercept and independently authenticated, analyzes intelligence very recently acquired by the agency about a months-long Russian intelligence cyber effort against elements of the U.S. election and voting infrastructure. The report, dated May 5, 2017, is the most detailed U.S. government account of Russian interference in the election that has yet come to light.

While there is no evidence the breach of the voting software supplier resulted in compromised votes, what the NSA document suggests is something just as disruptive: an IRL denial-of-service attack on American voters.

Pamela Smith, president of election integrity watchdog Verified Voting, agreed that even if VR Systems doesn’t facilitate the actual casting of votes, it could make an alluring target for anyone hoping to disrupt the vote.

“If someone has access to a state voter database, they can take malicious action by modifying or removing information,” she said. “This could affect whether someone has the ability to cast a regular ballot, or be required to cast a ‘provisional’ ballot — which would mean it has to be checked for their eligibility before it is included in the vote, and it may mean the voter has to jump through certain hoops such as proving their information to the election official before their eligibility is affirmed.”

That being said, the US election process is somewhat hack-proof, though certainly not by design or as the result of security enhancements. Election hacking can apparently be somewhat mitigated by operational inefficiencies and this nation's democratic process bottleneck. Voting databases are decentralized, with very little coordination/connection between county, state, and federal systems. To make things even more unpredictable, the Electoral College decides who gets to become president, rather than millions of votes cast through a vast variety of voting machines.

Perhaps the most astonishing aspect of this leak is how quickly the government tracked the leaker down. The Intercept asked the government for comment on May 30th. By June 3rd, the government's investigation had narrowed to one suspect: government contractor Reality Winner [emoji combining WTF/irony].

Although the government's press release and affidavit [PDF] only refer to The Intercept as "News Outlet," the dates of the document cited match up to those in the published document. How did the NSA track down Winner so quickly? Internal printer audits and email records.

The U.S. Government Agency conducted an internal audit to determine who accessed the intelligence reporting since its publication. The U.S. Government Agency determined that six individuals printed this reporting. WINNER was one of these six individuals. A further audit of the six individuals' desk computers revealed that WINNER had e-mail contact with the News Outlet. The audit did not reveal that any of the other individuals had e-mail contact with the News Outlet.

In short, bad opsec and worse opsec. There's more:

The U.S. Government Agency examined the document shared by the News Outlet and determined the pages of the intelligence reporting appeared to be folded and/or creased, suggesting they had been printed and hand-carried out of a secured space.

These creases can plainly be seen in the document published by The Intercept.
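The two audit steps the affidavit describes are ordinary insider-threat telemetry, and they are worth seeing as an actual query. The following is an added example, not the agency's tooling or anything from the affidavit or The Intercept's reporting: two constructed CSV exports (a print-spooler audit and a mail-gateway log, with hypothetical user names, a hypothetical document ID and a hypothetical outlet domain) and the correlation that narrows six printers to one. The crease evidence is a physical observation and has no code equivalent.

```python
"""Correlate print-audit records with outbound mail, the way the affidavit
describes the leak investigation.

Added example, not from the affidavit or The Intercept's reporting. Both
logs below are constructed, with hypothetical user names, a hypothetical
document identifier (RPT-0001) and a hypothetical outlet domain; nothing
from the real audit is reproduced. The logic is the affidavit's:
(1) who printed the report after its publication date,
(2) which of those people had e-mail contact with the outlet,
(3) intersect.
"""
import csv
import io
from collections import Counter
from datetime import datetime
from typing import Dict, Set

# Constructed print-spooler audit export.
PRINT_AUDIT = """\
timestamp,user,document,printer,pages
2017-05-05T14:02:11,user_a,RPT-0001,PRN-3F-01,5
2017-05-08T09:15:40,user_b,RPT-0001,PRN-3F-02,5
2017-05-09T10:31:02,user_c,RPT-0001,PRN-2F-01,5
2017-05-09T10:32:55,user_c,RPT-0001,PRN-2F-01,5
2017-05-09T11:40:00,user_d,OTHER-0042,PRN-3F-01,2
2017-05-10T16:05:13,user_e,RPT-0001,PRN-3F-01,5
2017-05-11T08:20:45,user_f,RPT-0001,PRN-1F-01,5
2017-05-12T13:00:01,user_g,RPT-0001,PRN-3F-02,5
"""

# Constructed mail-gateway log: one row per outbound message.
MAIL_LOG = """\
timestamp,sender,recipient_domain,subject_len
2017-03-30T21:10:00,user_c,example-outlet.test,14
2017-05-06T22:41:19,user_b,personal-mail.test,9
2017-05-20T19:03:07,user_c,example-outlet.test,22
2017-05-21T08:12:33,user_h,example-outlet.test,11
"""

PUBLISHED = datetime(2017, 5, 5)        # report date from the document header
OUTLET_DOMAIN = "example-outlet.test"   # hypothetical


def who_printed(audit_csv: str, document: str, since: datetime) -> Set[str]:
    """Users who sent the named document to any printer on or after `since`."""
    users = set()
    for row in csv.DictReader(io.StringIO(audit_csv)):
        when = datetime.fromisoformat(row["timestamp"])
        if row["document"] == document and when >= since:
            users.add(row["user"])
    return users


def print_counts(audit_csv: str, document: str) -> Dict[str, int]:
    """How many times each user printed the document (a repeat print is itself a signal)."""
    return Counter(row["user"] for row in csv.DictReader(io.StringIO(audit_csv))
                   if row["document"] == document)


def who_mailed(mail_csv: str, domain: str) -> Set[str]:
    """Internal senders with any outbound mail to the given recipient domain."""
    return {row["sender"] for row in csv.DictReader(io.StringIO(mail_csv))
            if row["recipient_domain"] == domain}


def suspects(audit_csv: str, mail_csv: str, document: str,
             since: datetime, domain: str) -> Set[str]:
    """The affidavit's narrowing step: printed the report AND mailed the outlet."""
    return who_printed(audit_csv, document, since) & who_mailed(mail_csv, domain)


if __name__ == "__main__":
    printed = who_printed(PRINT_AUDIT, "RPT-0001", PUBLISHED)
    print(f"{len(printed)} users printed RPT-0001:", sorted(printed))
    print("print counts:", dict(print_counts(PRINT_AUDIT, "RPT-0001")))
    print("mailed the outlet:", sorted(who_mailed(MAIL_LOG, OUTLET_DOMAIN)))
    print("intersection:", sorted(suspects(PRINT_AUDIT, MAIL_LOG, "RPT-0001", PUBLISHED, OUTLET_DOMAIN)))
```

An intersection like this is a lead, not proof; the affidavit pairs it with the physical evidence and a confession. The defensive reading is the one the piece draws: print a classified report, then mail the outlet from the same desk, and the audit trail does the rest.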

According to the FBI, Winner has already confessed to these actions. And it's tough to see this information as being of the whistleblower variety as it doesn't expose any sort of surveillance overreach, but rather the sort of work we actually expect the NSA to be engaged in. The only possible motive for Winner's decision to hand this document over to journalists is the (somewhat justifiable) fear the Trump Administration would do its best to ensure this information was never made public.

On the other hand, the document is clearly of public interest, seeing as it details apparently ongoing efforts by a foreign country to disrupt the election process. It also highlights just how many security holes remain unaddressed, despite years of warning by security researchers. Even if the Russian government never performs another election hack, it has already planted several seeds of doubt in the legitimacy of the system -- something that will cause every election result going forward to be questioned by those who come out on the losing end.